The following are the first few sections of a chapter from Android's Architecture Components, plus headings for the remaining major sections, to give you an idea about the content of the chapter.


Securing Your Room

Room, by default, works with the device’s stock copy of SQLite. This is fine, as far as it goes. However, from a security standpoint, SQLite stores its data unencrypted. Many apps should consider encrypting their data “at rest”, when it is stored in a database, to protect their users.

Fortunately, as noted in an earlier chapter, Room supports a pluggable SQLite implementation, and so we can plug in a SQLite edition that supports encryption, such as SQLCipher for Android. This chapter will outline how to do this.

Meet the Players

There are two pieces to the encrypted-database puzzle: a SQLite implementation with encryption capability, and the “glue code” that allows Room to work with that SQLite implementation.

SQLCipher for Android

Since SQLite is public domain, it is easy for people to grab the source code and hack on it. SQLite also offers an extension system, making it relatively easy for developers to add functionality with a minimal number of changes to SQLite’s core code. As a result, a few encryption options for SQLite have been published.

One of these is SQLCipher, whose development is overseen by Zetetic. This offers transparent AES-256 encryption of everything in the database: data, schema, etc.

With the help of the Guardian Project, Zetetic released SQLCipher for Android. This combines a pre-compiled version of SQLite with Java classes that mimic an old edition of Android’s native SQLite classes (e.g., SQLiteOpenHelper). SQLCipher for Android is open source, and if you can live with the increase in app size due to the native binaries, it is an effective solution.

However, it knows nothing about Room.

CWAC-SafeRoom

To fill that gap, the author of this book has released CWAC-SafeRoom. This is an implementation of Room’s pluggable database API to bridge between Room and SQLCipher for Android. Using SQLCipher for Android then becomes mostly a matter of a single method call on the RoomDatabase.Builder to use the CWAC-SafeRoom code — everything else works as normal.

That being said, at the time of this writing, the latest releases of Room and the support database API are both 1.1.0, and CWAC-SafeRoom is 0.4.0. These are early days for both libraries, and so changes may occur either at the Room or the CWAC-SafeRoom level.
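
The single builder call described above, sketched as an added example that is not taken from the book or from the CWAC-SafeRoom project. The class, table and file names are hypothetical, and it assumes the Room 1.1.0 package names and the library's SafeHelperFactory(char[]) constructor.

```java
import android.arch.persistence.room.Dao;
import android.arch.persistence.room.Database;
import android.arch.persistence.room.Entity;
import android.arch.persistence.room.Insert;
import android.arch.persistence.room.PrimaryKey;
import android.arch.persistence.room.Query;
import android.arch.persistence.room.Room;
import android.arch.persistence.room.RoomDatabase;
import android.content.Context;
import com.commonsware.cwac.saferoom.SafeHelperFactory;
import java.util.Arrays;
import java.util.List;

// Hypothetical names throughout: SecureNotes, Note, NoteStore, NotesDatabase, notes.db.
public class SecureNotes {
  @Entity(tableName = "notes")
  public static class Note {
    @PrimaryKey(autoGenerate = true) public long id;
    public String body;
  }

  @Dao
  public interface NoteStore {
    @Insert long insert(Note note);
    @Query("SELECT * FROM notes") List<Note> all();
  }

  @Database(entities = {Note.class}, version = 1, exportSchema = false)
  public abstract static class NotesDatabase extends RoomDatabase {
    public abstract NoteStore notes();
  }

  // The passphrase arrives as a char[] (e.g. from a password field) rather than
  // a String, because a String cannot be wiped from memory after use.
  public static NotesDatabase open(Context ctxt, char[] passphrase) {
    // Room opens the file lazily, after this method returns, so the factory
    // gets its own copy and the caller's array can be zeroed right away.
    SafeHelperFactory factory =
        new SafeHelperFactory(Arrays.copyOf(passphrase, passphrase.length));
    NotesDatabase db = Room
        .databaseBuilder(ctxt.getApplicationContext(), NotesDatabase.class, "notes.db")
        .openHelperFactory(factory) // the one call that swaps in SQLCipher for Android
        .build();
    Arrays.fill(passphrase, '\0');
    return db;
  }
}
```

Entities, DAOs and queries are declared exactly as they would be for an unencrypted Room database; only the openHelperFactory() call differs.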

Using CWAC-SafeRoom

The preview of this section was the victim of a MITM ('Martian in the middle') attack.

More to Come!

The preview of this section is sleeping in.